Examples with Resource org.keycloak.authorization.model.Resource used on opensource projects

Search in sources :

Example 46 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class DefaultPolicyEvaluator method evaluate.

@Override
public void evaluate(ResourcePermission permission, AuthorizationProvider authorizationProvider, EvaluationContext executionContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> decisionCache) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    ResourceServer resourceServer = permission.getResourceServer();
    PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();
    if (PolicyEnforcementMode.DISABLED.equals(enforcementMode)) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }
    // if marked as granted we just complete the evaluation
    if (permission.isGranted()) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }
    AtomicBoolean verified = new AtomicBoolean();
    Consumer<Policy> policyConsumer = createPolicyEvaluator(permission, authorizationProvider, executionContext, decision, verified, decisionCache);
    Resource resource = permission.getResource();
    if (resource != null) {
        policyStore.findByResource(resource.getId(), resourceServer.getId(), policyConsumer);
        if (resource.getType() != null) {
            policyStore.findByResourceType(resource.getType(), resourceServer.getId(), policyConsumer);
            if (!resource.getOwner().equals(resourceServer.getId())) {
                for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
                    policyStore.findByResource(typedResource.getId(), resourceServer.getId(), policyConsumer);
                }
            }
        }
    }
    Collection<Scope> scopes = permission.getScopes();
    if (!scopes.isEmpty()) {
        policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId(), policyConsumer);
    }
    if (verified.get()) {
        decision.onComplete(permission);
        return;
    }
    if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode)) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceServer(org.keycloak.authorization.model.ResourceServer) PolicyEnforcementMode(org.keycloak.representations.idm.authorization.PolicyEnforcementMode)

Example 47 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class AuthorizationBean method toResourceRepresentation.

private Collection<ResourceBean> toResourceRepresentation(List<PermissionTicket> tickets) {
    Map<String, ResourceBean> requests = new HashMap<>();
    for (PermissionTicket ticket : tickets) {
        Resource resource = ticket.getResource();
        if (!resource.isOwnerManagedAccess()) {
            continue;
        }
        requests.computeIfAbsent(resource.getId(), resourceId -> getResource(resourceId)).addPermission(ticket, authorization);
    }
    return requests.values();
}
Also used : ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Date(java.util.Date) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) ResolveRelative(org.keycloak.services.util.ResolveRelative) UserModel(org.keycloak.models.UserModel) Map(java.util.Map) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Time(org.keycloak.common.util.Time) RealmModel(org.keycloak.models.RealmModel) EnumMap(java.util.EnumMap) Collection(java.util.Collection) Set(java.util.Set) KeycloakSession(org.keycloak.models.KeycloakSession) Collectors(java.util.stream.Collectors) Policy(org.keycloak.authorization.model.Policy) List(java.util.List) ModelToRepresentation(org.keycloak.models.utils.ModelToRepresentation) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) UriInfo(javax.ws.rs.core.UriInfo) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) HashMap(java.util.HashMap) Resource(org.keycloak.authorization.model.Resource)

Example 48 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ExportUtils method exportAuthorizationSettings.

public static ResourceServerRepresentation exportAuthorizationSettings(KeycloakSession session, ClientModel client) {
    AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findByClient(client);
    if (settingsModel == null) {
        return null;
    }
    ResourceServerRepresentation representation = toRepresentation(settingsModel, client);
    representation.setId(null);
    representation.setName(null);
    representation.setClientId(null);
    List<ResourceRepresentation> resources = storeFactory.getResourceStore().findByResourceServer(settingsModel.getId()).stream().map(resource -> {
        ResourceRepresentation rep = toRepresentation(resource, settingsModel.getId(), authorization);
        if (rep.getOwner().getId().equals(settingsModel.getId())) {
            rep.setOwner((ResourceOwnerRepresentation) null);
        } else {
            rep.getOwner().setId(null);
        }
        rep.getScopes().forEach(scopeRepresentation -> {
            scopeRepresentation.setId(null);
            scopeRepresentation.setIconUri(null);
        });
        return rep;
    }).collect(Collectors.toList());
    representation.setResources(resources);
    List<PolicyRepresentation> policies = new ArrayList<>();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    policies.addAll(policyStore.findByResourceServer(settingsModel.getId()).stream().filter(policy -> !policy.getType().equals("resource") && !policy.getType().equals("scope") && policy.getOwner() == null).map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList()));
    policies.addAll(policyStore.findByResourceServer(settingsModel.getId()).stream().filter(policy -> (policy.getType().equals("resource") || policy.getType().equals("scope") && policy.getOwner() == null)).map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList()));
    representation.setPolicies(policies);
    List<ScopeRepresentation> scopes = storeFactory.getScopeStore().findByResourceServer(settingsModel.getId()).stream().map(scope -> {
        ScopeRepresentation rep = toRepresentation(scope);
        rep.setPolicies(null);
        rep.setResources(null);
        return rep;
    }).collect(Collectors.toList());
    representation.setScopes(scopes);
    return representation;
}
Also used : ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Version(org.keycloak.common.Version) RoleContainerModel(org.keycloak.models.RoleContainerModel) Map(java.util.Map) ModelToRepresentation.toRepresentation(org.keycloak.models.utils.ModelToRepresentation.toRepresentation) CredentialRepresentation(org.keycloak.representations.idm.CredentialRepresentation) UserConsentRepresentation(org.keycloak.representations.idm.UserConsentRepresentation) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ClientScopeModel(org.keycloak.models.ClientScopeModel) RealmModel(org.keycloak.models.RealmModel) FederatedIdentityRepresentation(org.keycloak.representations.idm.FederatedIdentityRepresentation) Collection(java.util.Collection) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory) Set(java.util.Set) RoleModel(org.keycloak.models.RoleModel) PolicyStore(org.keycloak.authorization.store.PolicyStore) Collectors(java.util.stream.Collectors) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ModelToRepresentation(org.keycloak.models.utils.ModelToRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) List(java.util.List) Stream(java.util.stream.Stream) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Profile(org.keycloak.common.Profile) JsonGenerator(com.fasterxml.jackson.core.JsonGenerator) ScopeMappingRepresentation(org.keycloak.representations.idm.ScopeMappingRepresentation) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) UserModel(org.keycloak.models.UserModel) ComponentExportRepresentation(org.keycloak.representations.idm.ComponentExportRepresentation) JsonEncoding(com.fasterxml.jackson.core.JsonEncoding) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) LinkedList(java.util.LinkedList) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ResourceServer(org.keycloak.authorization.model.ResourceServer) FederatedIdentityModel(org.keycloak.models.FederatedIdentityModel) OutputStream(java.io.OutputStream) RolesRepresentation(org.keycloak.representations.idm.RolesRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) CredentialModel(org.keycloak.credential.CredentialModel) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) KeycloakSession(org.keycloak.models.KeycloakSession) IOException(java.io.IOException) JsonSerialization(org.keycloak.util.JsonSerialization) Policy(org.keycloak.authorization.model.Policy) JsonFactory(com.fasterxml.jackson.core.JsonFactory) SerializationFeature(com.fasterxml.jackson.databind.SerializationFeature) MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap) Resource(org.keycloak.authorization.model.Resource) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ArrayList(java.util.ArrayList) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 49 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class AccountFormService method processResourceActions.

@Path("resource")
@POST
public Response processResourceActions(@FormParam("resource_id") String[] resourceIds, @FormParam("action") String action) {
    MultivaluedMap<String, String> formData = request.getDecodedFormParameters();
    if (auth == null) {
        return login("resource");
    }
    auth.require(AccountRoles.MANAGE_ACCOUNT);
    csrfCheck(formData);
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    if (action == null) {
        return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
    }
    for (String resourceId : resourceIds) {
        Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
        if (resource == null) {
            return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
        }
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.REQUESTER, auth.getUser().getId());
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        if ("cancel".equals(action)) {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
        } else if ("cancelRequest".equals(action)) {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
        }
        for (PermissionTicket ticket : ticketStore.find(filters, resource.getResourceServer(), -1, -1)) {
            ticketStore.delete(ticket.getId());
        }
    }
    return forwardToPage("authorization", AccountPages.RESOURCES);
}
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) RealmsResource(org.keycloak.services.resources.RealmsResource) Resource(org.keycloak.authorization.model.Resource) EnumMap(java.util.EnumMap) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Example 50 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class AccountFormService method grantPermission.

@Path("resource/{resource_id}/grant")
@POST
public Response grantPermission(@PathParam("resource_id") String resourceId, @FormParam("action") String action, @FormParam("permission_id") String[] permissionId, @FormParam("requester") String requester) {
    MultivaluedMap<String, String> formData = request.getDecodedFormParameters();
    if (auth == null) {
        return login("resource");
    }
    auth.require(AccountRoles.MANAGE_ACCOUNT);
    csrfCheck(formData);
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
    if (resource == null) {
        return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
    }
    if (action == null) {
        return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
    }
    boolean isGrant = "grant".equals(action);
    boolean isDeny = "deny".equals(action);
    boolean isRevoke = "revoke".equals(action);
    boolean isRevokePolicy = "revokePolicy".equals(action);
    boolean isRevokePolicyAll = "revokePolicyAll".equals(action);
    if (isRevokePolicy || isRevokePolicyAll) {
        List<String> ids = new ArrayList<>(Arrays.asList(permissionId));
        Iterator<String> iterator = ids.iterator();
        PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
        Policy policy = null;
        while (iterator.hasNext()) {
            String id = iterator.next();
            if (!id.contains(":")) {
                policy = policyStore.findById(id, client.getId());
                iterator.remove();
                break;
            }
        }
        Set<Scope> scopesToKeep = new HashSet<>();
        if (isRevokePolicyAll) {
            for (Scope scope : policy.getScopes()) {
                policy.removeScope(scope);
            }
        } else {
            for (String id : ids) {
                scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(id.split(":")[1], client.getId()));
            }
            for (Scope scope : policy.getScopes()) {
                if (!scopesToKeep.contains(scope)) {
                    policy.removeScope(scope);
                }
            }
        }
        if (policy.getScopes().isEmpty()) {
            for (Policy associated : policy.getAssociatedPolicies()) {
                policyStore.delete(associated.getId());
            }
            policyStore.delete(policy.getId());
        }
    } else {
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        filters.put(PermissionTicket.FilterOption.REQUESTER, session.users().getUserByUsername(realm, requester).getId());
        if (isRevoke) {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
        } else {
            filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
        }
        List<PermissionTicket> tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1);
        Iterator<PermissionTicket> iterator = tickets.iterator();
        while (iterator.hasNext()) {
            PermissionTicket ticket = iterator.next();
            if (isGrant) {
                if (permissionId != null && permissionId.length > 0 && !Arrays.asList(permissionId).contains(ticket.getId())) {
                    continue;
                }
            }
            if (isGrant && !ticket.isGranted()) {
                ticket.setGrantedTimestamp(System.currentTimeMillis());
                iterator.remove();
            } else if (isDeny || isRevoke) {
                if (permissionId != null && permissionId.length > 0 && Arrays.asList(permissionId).contains(ticket.getId())) {
                    iterator.remove();
                }
            }
        }
        for (PermissionTicket ticket : tickets) {
            ticketStore.delete(ticket.getId());
        }
    }
    if (isRevoke || isRevokePolicy || isRevokePolicyAll) {
        return forwardToPage("resource", AccountPages.RESOURCE_DETAIL);
    }
    return forwardToPage("resource", AccountPages.RESOURCES);
}
Also used : OTPPolicy(org.keycloak.models.OTPPolicy) Policy(org.keycloak.authorization.model.Policy) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) RealmsResource(org.keycloak.services.resources.RealmsResource) Resource(org.keycloak.authorization.model.Resource) ArrayList(java.util.ArrayList) Scope(org.keycloak.authorization.model.Scope) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) PolicyStore(org.keycloak.authorization.store.PolicyStore) EnumMap(java.util.EnumMap) HashSet(java.util.HashSet) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST)

Aggregations

Resource (org.keycloak.authorization.model.Resource)87 ResourceServer (org.keycloak.authorization.model.ResourceServer)51 Policy (org.keycloak.authorization.model.Policy)45 Scope (org.keycloak.authorization.model.Scope)44 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)27 ResourceStore (org.keycloak.authorization.store.ResourceStore)27 StoreFactory (org.keycloak.authorization.store.StoreFactory)26 ArrayList (java.util.ArrayList)22 ClientModel (org.keycloak.models.ClientModel)22 List (java.util.List)20 HashSet (java.util.HashSet)19 Map (java.util.Map)19 UserModel (org.keycloak.models.UserModel)18 RealmModel (org.keycloak.models.RealmModel)16 HashMap (java.util.HashMap)15 Set (java.util.Set)15 EnumMap (java.util.EnumMap)14 Collectors (java.util.stream.Collectors)14 Path (javax.ws.rs.Path)13 PolicyStore (org.keycloak.authorization.store.PolicyStore)13
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial